Cisco Umbrella
Security

OpenDNS Sheds Light on Domain Shadowing

By Owen Lystrup
Posted on November 24, 2015
Updated on March 4, 2020


In March 2015 the Talos Security group at Cisco coined a name for a technique attackers have been using since at least 2011. Domain shadowing is when an attacker gains access to the registrant account of a legitimate domain and uses that access to create a large number of subdomains under it, typically pointed at exploit kit landing pages. For instance, visapayment.opendns[.]com, a subdomain hanging off the legitimate opendns[.]com. It is becoming more common because of how easy a domain shadowing campaign is to run, and how hard it is to detect.
Using a Stolen Reputation
“Domain shadowing using compromised registrant credentials is the most effective, difficult to stop, technique that threat actors have used to date. The accounts are largely random so there is no way to track which domains will be used next. Additionally, the subdomains are very high volume, short lived, and random, with no discernible patterns. This makes blocking increasingly difficult,” Cisco threat researcher Nick Biasini explained in his blog post about Domain Shadowing. The worst part is owners of the legitimate domain are often not aware it is being used for Domain Shadowing.
OpenDNS Security Labs researchers have also been tracking the rising popularity of exploit kits, and responded with new security models and features to detect them. One feature is an addition to OpenDNS’s threat intelligence search engine, Investigate. Called Pattern Search, the feature adds regular expression and wildcard searching to the search engine, so that a single query can pull back every observed hostname that fits a shape rather than one exact name at a time.
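As an added illustration of what a wildcard and regex search over observed hostnames gives an analyst, the following Python is example code written for this article, not OpenDNS’s Investigate implementation. The hostname list is constructed, the wildcard syntax (`*` and `?`) and the generated-label heuristic are assumptions, and the heuristic is deliberately cheap: it only separates dictionary-like labels from digit-and-letter soup.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample of hostnames seen by a resolver (not real data).
OBSERVED_HOSTNAMES = [
    "www.example.com",
    "mail.example.com",
    "visapayment.example.com",
    "x9q2v7.example.com",
    "k3j8dl0p.example.com",
    "cdn.example.net",
    "login.bank-example.org",
    "qzx7yt4ab.bank-example.org",
    "ajf92lsd.bank-example.org",
    "static.example.org",
]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a wildcard pattern ('*' = any run, '?' = one char) into an
    anchored, case-insensitive regex; every other character is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def pattern_search(hostnames: Iterable[str], pattern: Optional[str] = None,
                   regex: Optional[str] = None) -> List[str]:
    """Return the hostnames matching either a wildcard pattern or a raw regex."""
    if (pattern is None) == (regex is None):
        raise ValueError("give exactly one of pattern= or regex=")
    rx = wildcard_to_regex(pattern) if pattern is not None else re.compile(regex, re.IGNORECASE)
    return [h for h in hostnames if rx.search(h)]


def looks_generated(hostname: str, min_len: int = 6) -> bool:
    """Cheap DGA-style heuristic on the leftmost label (an assumption, not a
    published model): long enough and either mixing letters with digits or
    nearly vowel-free. 'visapayment' passes through; 'k3j8dl0p' does not."""
    label = hostname.split(".")[0].lower()
    if len(label) < min_len:
        return False
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return (has_digit and has_alpha) or vowel_ratio < 0.2


def find_generated_candidates(hostnames: Iterable[str], pattern: Optional[str] = None,
                              regex: Optional[str] = None) -> List[str]:
    """Pattern search narrows the set; the heuristic keeps only generated-looking labels."""
    return [h for h in pattern_search(hostnames, pattern, regex) if looks_generated(h)]


if __name__ == "__main__":
    print(pattern_search(OBSERVED_HOSTNAMES, pattern="*.bank-example.org"))
    print(find_generated_candidates(OBSERVED_HOSTNAMES, regex=r"^[a-z0-9]{6,}\.example\.com$"))
```

The useful part is the second pass: a search such as `*.bank-example.org` returns the legitimate `login` host alongside the generated ones, so the shape of the leftmost label, not the parent domain, is what separates them.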
SPRank and Predictive Discovery

Pattern Search in action looking for DGAs.

Currently most blocking and detection mechanisms for domain shadowing rely on some sort of domain reputation system that rates good versus bad domains. But reputation scores, according to Technical Leader Dhia Mahjoub, are not enough to catch most domain shadowing attacks. Mahjoub, along with Security Researcher Thomas Mathew, recently announced a new security model to get around this issue.
“Compromised domains that have a great historical reputation will easily fool a reputation system,” Mahjoub wrote in a blog post. “Furthermore, cheap hosting makes it difficult to assign meaningful scores for IP reputation as new ranges appear having no historical context to provide it a score. SPRank avoids these issues by analyzing the DNS request patterns to a domain.” In other words, a reputation score, upon seeing a hostname under a well-known parent like Amazon[.]com, will give a compromised subdomain a pass, because the parent is a well-known and highly reputable site. Looking at how the subdomain is actually requested and where it resolves sidesteps that inherited trust.
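The contrast between a reputation lookup and a request-pattern check, written out as an added Python example for this article. This is not SPRank and not OpenDNS code; the page does not describe SPRank’s internals, so the rule below is a simplified stand-in that keeps only the idea quoted above: ignore the parent’s reputation and look at how the subdomain behaves. The passive-DNS style records, the reputation table, the two-label approximation of the registered domain and the thresholds (30 days of stability to count as the owner’s IP space, 3 days or less to count as short-lived) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed passive-DNS style records: (first_seen, last_seen, hostname, resolved IPv4).
# Not real data. example.com is a "good" domain whose registrant account has been abused.
RECORDS: List[Tuple[str, str, str, str]] = [
    ("2015-01-01", "2015-11-20", "www.example.com",         "203.0.113.10"),
    ("2015-01-01", "2015-11-20", "mail.example.com",        "203.0.113.25"),
    ("2015-03-01", "2015-11-20", "blog.example.com",        "203.0.113.30"),
    ("2015-11-19", "2015-11-19", "test.example.com",        "203.0.113.40"),
    ("2015-11-18", "2015-11-18", "x9q2v7.example.com",      "198.51.100.77"),
    ("2015-11-18", "2015-11-19", "k3j8dl0p.example.com",    "198.51.100.78"),
    ("2015-11-19", "2015-11-19", "visapayment.example.com", "198.51.100.79"),
]

# Constructed reputation table, the only thing a reputation-only system consults.
REPUTATION = {"example.com": 0.95}


def registered_domain(hostname: str) -> str:
    """Assumption for this example: the registered domain is the last two labels.
    A real system would use the Public Suffix List."""
    return ".".join(hostname.split(".")[-2:])


def lifetime_days(first_seen: str, last_seen: str) -> int:
    return (date.fromisoformat(last_seen) - date.fromisoformat(first_seen)).days


def reputation_verdict(hostname: str, threshold: float = 0.8) -> str:
    """Reputation-only check: the parent's good history passes every subdomain."""
    return "allow" if REPUTATION.get(registered_domain(hostname), 0.0) >= threshold else "block"


def baseline_networks(records, min_days: int = 30):
    """Per registered domain, the /24s that its long-lived hostnames resolve into.
    Stable names define where the legitimate owner actually hosts things."""
    base = defaultdict(set)
    for first, last, host, ip in records:
        if lifetime_days(first, last) >= min_days:
            base[registered_domain(host)].add(ip_network(f"{ip}/24", strict=False))
    return base


def pattern_verdict(record, baseline, max_lifetime_days: int = 3) -> str:
    """Request-pattern check: a brand new, short-lived subdomain resolving outside
    the owner's established IP space is a shadowing suspect, whatever the parent's score."""
    first, last, host, ip = record
    nets = baseline.get(registered_domain(host), set())
    in_owner_space = any(ip_address(ip) in net for net in nets)
    if lifetime_days(first, last) <= max_lifetime_days and not in_owner_space:
        return "suspect"
    return "allow"


def triage(records) -> Dict[str, Tuple[str, str]]:
    """Map hostname -> (reputation verdict, pattern verdict) for side-by-side comparison."""
    baseline = baseline_networks(records)
    return {r[2]: (reputation_verdict(r[2]), pattern_verdict(r, baseline)) for r in records}


def shadowed_parents(records, min_suspects: int = 2) -> Dict[str, List[str]]:
    """Registered domains with enough suspect subdomains to treat the account as compromised."""
    suspects = defaultdict(list)
    for host, (_, verdict) in triage(records).items():
        if verdict == "suspect":
            suspects[registered_domain(host)].append(host)
    return {parent: hosts for parent, hosts in suspects.items() if len(hosts) >= min_suspects}


if __name__ == "__main__":
    for host, verdicts in triage(RECORDS).items():
        print(f"{host:28} reputation={verdicts[0]:5} pattern={verdicts[1]}")
    print(shadowed_parents(RECORDS))
```

Note that `test.example.com` is just as new and short-lived as the attacker’s names but sits inside the owner’s own /24, so it is not flagged; the signal is the combination of novelty and foreign IP space, not novelty alone.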
How to Further Protect Against Domain Shadowing
Aside from advanced security solutions like Investigate, the key to protecting against domain shadowing lies in protecting the credentials of your domain’s registrant account, and monitoring that account and the zone it controls for changes. “It’s one thing that people just don’t do,” Craig Williams, security outreach manager for Cisco Talos, told ThreatPost in an interview. “No one logs back into their registrant account unless they are going to change something, or renew it.”
Two-factor authentication is probably the first and most effective precaution. Most domain registration companies, even the often abused GoDaddy, offer two-factor authentication. With it enabled, a stolen password alone is not enough to log in to the account and add malicious subdomains.
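The monitoring half of that advice, as an added Python example (not from the article or from OpenDNS): diff the zone as exported from the registrar today against a snapshot taken after the last intentional change, and alert on owner names that did not exist before. Both zone snapshots are constructed, the parser only handles simple one-line `name [ttl] IN type rdata` records, and the assumption is that the owner can export the zone as text from the registrar’s panel or via `dig axfr` where transfers are allowed.

```python
from typing import Dict, Set, Tuple

# Constructed BIND-style zone snapshots for example.com (not real data).
# BASELINE_ZONE is what the owner saved after the last intentional change;
# CURRENT_ZONE is what the registrar's DNS panel exports today.
BASELINE_ZONE = """
; baseline snapshot, taken after last intentional change
@        IN  A     203.0.113.10
www      IN  A     203.0.113.10
mail     IN  A     203.0.113.25
@        IN  MX 10 mail.example.com.
"""

CURRENT_ZONE = """
@        IN  A     203.0.113.10
www      IN  A     203.0.113.10
mail     IN  A     203.0.113.25
@        IN  MX 10 mail.example.com.
x9q2v7   3600  IN  A  198.51.100.77
k3j8dl0p 3600  IN  A  198.51.100.78
"""

Record = Tuple[str, str, str]  # (owner name, record type, rdata)


def parse_zone(text: str) -> Set[Record]:
    """Parse simple one-line records 'name [ttl] IN type rdata...'.
    Comments (';') and blank lines are skipped; $-directives are ignored."""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        name, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():      # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"unparseable record: {raw!r}")
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        records.add((name.lower(), rtype, rdata))
    return records


def diff_zone(baseline: str, current: str) -> Dict[str, Set[Record]]:
    """Records present now but absent from the baseline are what an attacker would add."""
    before, after = parse_zone(baseline), parse_zone(current)
    return {"added": after - before, "removed": before - after}


def new_owner_names(baseline: str, current: str) -> Set[str]:
    """Owner names that did not exist at all in the baseline: the domain shadowing signature."""
    known = {name for name, _, _ in parse_zone(baseline)}
    return {name for name, _, _ in diff_zone(baseline, current)["added"] if name not in known}


if __name__ == "__main__":
    delta = diff_zone(BASELINE_ZONE, CURRENT_ZONE)
    for rec in sorted(delta["added"]):
        print("ADDED  ", rec)
    for rec in sorted(delta["removed"]):
        print("REMOVED", rec)
    print("new names:", sorted(new_owner_names(BASELINE_ZONE, CURRENT_ZONE)))
```

Run on a schedule, this turns the registrant account from something nobody logs into until renewal time into something that is checked daily, and a burst of new names pointing at address space you do not own is the thing to page on.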
To find out more about IP Space Monitoring, read Mahjoub’s blog post (linked above), which also includes an in-depth explanation of SPRank. To see the Pattern Search function in action, read the blog post by Security Researcher Chip McSweeney, who used it in an experiment to find DGAs with Python.
